Long ago I tried to implement "A user should not be able to create a role
that exceeds their own permissions."[1][2] I didn't really dig into the
code enough to get it right, though.

If we ever hope to go to any sort of multi-tenancy, I think it is important
to allow non-"checkbox admins" to administer their own orgs. By "checkbox
admin" I mean the superuser, can-do-everything admins we have now, with the
checkbox on the user page. This flag bypasses all RBAC when checking auth.

What I thought would work is a model where a user could never create a
permission that exceeded their own. In this way, a checkbox admin could
create an org admin. The org admin would have all available permissions but
scoped to just a specific org, including roles. This org admin could then
themselves grant permissions to other users, but those permissions could
never exceed the scope of the org.

If I recall correctly, I implemented this by giving users two permissions,
one from the user that created the other user and then the other the normal
set assigned directly. Whenever RBAC was checked, the test would run
through both.

The parent user permissions could be displayed easily on the user in a
separate read-only or locked list.

If the parent user gained new permissions (e.g. they were added to org B in
addition to the original org A), then they could grant the new permissions
to their users.

In summary, I am not at all a fan of the checkbox admin as the sole power
user model. I believe the checkbox admin should be rare and the more common
admin should be a user with all or a subset of permissions. Having worked
with various RBAC implementations over the years and knowing the difficulty
in getting them right, I really like the one implemented in Foreman and
believe it's very close to being completely suitable for multi-tenancy use.


[1] http://projects.theforeman.org/issues/8673
[2] https://github.com/theforeman/foreman/pull/2011

On Fri, Aug 26, 2016 at 9:10 AM, Marek Hulán <[email protected]> wrote:

> Hello
>
> after some work that has been done on Roles and Organization/Locations
> recently we realized that we tend to support a very complicated feature. We
> allow delegating role editing permissions to non-admin users. When
> Organizations and Locations are also enabled, users and filters can be
> scoped to them too. With Foreman 1.13, this will be available for Roles as
> well.
>
> Let's assume we have a user scoped to Org A and B and he can edit roles.
> From his point of view when editing role Manager, he updates only
> permissions for these two orgs but since the role is global it could affect
> other orgs too. We could add some check that the user can only edit roles
> that are associated to the same or fewer orgs as his account is.
>
> But there's another problem - no organization set actually means "any
> organization". So if a user removes all org associations he or she would
> make it global, so affecting all users. Again we could add some extra check
> for this case.
>
> There's also a permission for what organizations and locations a user can
> assign which is automatically checked after each save, so the user should
> also have this permission for all organizations he's assigned to.
>
> Another challenge is how to tell users that they can't edit this role
> because of reasons described above? We'd have to say "you can't edit this
> role because it's being used also elsewhere but we can't tell you where".
>
> Well, if you understood all I've written so far, maybe it's just my feeling,
> but I find all of this unnecessarily complicated. I saw other apps that only
> allowed roles modification to super admin users. Other users could still
> assign user accounts with existing roles but they couldn't modify the scope
> of these roles.
>
> Therefore my question: would a simplification like this be considered a
> problem for any Foreman user? Or can we let only admins edit roles and
> filters?
>
> Thanks for any feedback
>
> --
> Marek
>
> --
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.
>
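
The two checks discussed in this thread (a role may only be edited when it is tied to the same or fewer organizations than the editor, and an empty organization list means "any organization"), as an added Ruby example that is not part of either message and is not Foreman's code. `Grant`, the helper methods and the permission names are hypothetical, and the sample data is constructed.

```ruby
require 'set'

# Hypothetical model, not Foreman's classes: a grant is a set of permission
# names plus a set of organizations. As in the thread, an empty organization
# set means "any organization" (global).
Grant = Struct.new(:permissions, :orgs) do
  def global?
    orgs.empty?
  end

  # True when this grant gives nothing beyond what `other` already gives.
  def within?(other)
    return false unless permissions.subset?(other.permissions)
    return true if other.global?   # a global grantor covers every org
    return false if global?        # "any org" is wider than any finite list
    orgs.subset?(other.orgs)
  end
end

def grant(perms, orgs = [])
  Grant.new(Set.new(perms), Set.new(orgs))
end

# Naive check: plain subset test on orgs. The empty set is a subset of every
# set, so removing all org associations passes and the role becomes global.
def naive_edit_allowed?(editor, proposed)
  proposed.permissions.subset?(editor.permissions) &&
    proposed.orgs.subset?(editor.orgs)
end

# Hardened check: the role as it stands AND the role as proposed must both
# stay within the editor's own grant. The first half refuses edits to roles
# that are also used in orgs the editor cannot see.
def edit_allowed?(editor, current, proposed)
  current.within?(editor) && proposed.within?(editor)
end

# Constructed sample data.
ORG_ADMIN   = grant(%w[view_hosts edit_hosts edit_roles], %w[A B])
MANAGER     = grant(%w[view_hosts edit_hosts], %w[A B])
MANAGER_ABC = grant(%w[view_hosts edit_hosts], %w[A B C])
UNSCOPED    = grant(%w[view_hosts edit_hosts]) # every org association removed
```

Because `within?` compares the target with the editor's current grant at call time, an editor who is later added to another org can pass that org on without any change to the check.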
